Commit Graph

25 Commits

Author SHA1 Message Date
Daniel Stenberg
9f5744a72f gnutls: removed dead code
Bug: http://curl.haxx.se/bug/view.cgi?id=1437
Reported-by: Julien
2014-10-23 10:01:58 +02:00
Daniel Stenberg
9d64ab7d5a pinning: minor code style policing 2014-10-13 22:22:49 +02:00
Patrick Monnerat
357ff4d1dc Factorize pinned public key code into generic file handling and backend specific 2014-10-13 18:34:51 +02:00
moparisthebest
e644866caf GnuTLS: Implement public key pinning 2014-10-07 14:55:39 +02:00
Dan Fandrich
4d4dd7aea0 gtls: only define Curl_gtls_seed if Nettle is not being used 2014-08-03 11:18:08 +02:00
Daniel Stenberg
8dfd22089c vtls: make the random function mandatory in the TLS backend
To force each backend implementation to really attempt to provide proper
random. If a proper random function is missing, then we can explicitly
make use of the default one we use when TLS support is missing.

This commit makes sure it works for darwinssl, gnutls, nss and openssl.
2014-07-30 00:05:47 +02:00
Daniel Stenberg
f069b40f9d gnutls: fix compiler warning
conversion to 'int' from 'long int' may alter its value
2014-07-15 21:28:10 +02:00
Dan Fandrich
9087b7e8f5 gnutls: detect lack of SRP support in GnuTLS at run-time and try without
Reported-by: David Woodhouse
2014-07-14 22:31:11 +02:00
David Woodhouse
98866008a9 gnutls: handle IP address in cert name check
Before GnuTLS 3.3.6, the gnutls_x509_crt_check_hostname() function
didn't actually check IP addresses in SubjectAltName, even though it was
explicitly documented as doing so. So do it ourselves...
2014-07-14 20:14:15 +02:00
Dan Fandrich
425459b8ae gnutls: improved error message if setting cipher list fails
Reported-by: David Woodhouse
2014-07-13 01:32:11 +02:00
Dan Fandrich
efc71583e7 gnutls: fixed a couple of uninitialized variable references 2014-07-12 01:31:12 +02:00
Dan Fandrich
3d2e1724cb gnutls: fixed compilation against versions < 2.12.0
The AES-GCM ciphers were added to GnuTLS as late as ver. 3.0.1 but
the code path in which they're referenced here is only ever used for
somewhat older GnuTLS versions. This caused undeclared identifier errors
when compiling against those.
2014-07-12 00:33:16 +02:00
Dan Fandrich
447c31ce9d gnutls: explicitly added SRP to the priority string
This seems to have become necessary for SRP support to work starting
with GnuTLS ver. 2.99.0. Since support for SRP was added to GnuTLS
before the function that takes this priority string, there should be no
issue with backward compatibility.
2014-07-12 00:11:44 +02:00
Dan Fandrich
baf8b57b1d gnutls: ignore invalid certificate dates with VERIFYPEER disabled
This makes the behaviour consistent with what happens if a date can
be extracted from the certificate but is expired.
2014-07-11 23:21:31 +02:00
Daniel Stenberg
b99f8e8b4e gnutls: allow building with nghttp2 but without ALPN support
It might not be the most useful combo, but...
2014-05-28 00:30:23 +02:00
Alessandro Ghedini
345bfab518 gnutls: don't use deprecated type names anymore 2014-05-28 00:27:33 +02:00
Daniel Stenberg
386ed2d590 gtls: fix NULL pointer dereference
gnutls_x509_crt_import() must not be called with a NULL certificate

Bug: http://curl.haxx.se/mail/lib-2014-04/0145.html
Reported-by: Damian Dixon
2014-04-22 23:24:31 +02:00
Daniel Stenberg
ef813c7097 http2: remove _DRAFT09 from the NPN_HTTP2 enum
We're progressing throught drafts so there's no point in having a fixed
one in a symbol that'll survive.
2014-03-31 08:40:24 +02:00
Fabian Frank
8f5a9147be gtls: honor --[no-]alpn command line switch
Disable ALPN if requested by the user.
2014-02-11 22:54:37 +01:00
Fabian Frank
4d8db595ca gtls: add ALPN support
Add ALPN support when using GnuTLS >= 3.2.0. This allows
libcurl to negotiate HTTP/2.0 for https connections when
built with GnuTLS.

See:
http://www.gnutls.org/manual/gnutls.html#Application-Layer-Protocol-Negotiation-_0028ALPN_0029
http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
2014-02-04 09:48:27 +01:00
Fabian Frank
39f7e80a52 disable GnuTLS insecure ciphers
Make GnuTLS old and new consistent, specify the desired protocol, cipher
and certificate type in always in both modes. Disable insecure ciphers
as reported by howsmyssl.com. Honor not only --sslv3, but also the
--tlsv1[.N] switches.

Related Bug: http://curl.haxx.se/bug/view.cgi?id=1323
2014-01-20 11:32:55 +01:00
Daniel Stenberg
4f334ba017 gtls: fix compiler warnings on conversions size_t => unsigned int 2014-01-19 23:26:01 +01:00
Steve Holme
f88f9bed00 vtls: Updated comments referencing sslgen.c and ssluse.c 2013-12-26 21:42:22 +00:00
Steve Holme
9aa6e4357a vtls: Fixed up include of vtls.h 2013-12-26 21:25:51 +00:00
Daniel Stenberg
a47c142a88 vtls: moved all TLS/SSL source and header files into subdir 2013-12-20 17:12:42 +01:00